Abstract

The web security landscape has become more complex than ever, and it is time for every industry to take a deeper look at it and understand the gravity of a situation that affects them directly or indirectly. An attack can come as a blow that you do not notice until it is too late. This post presents recent predictions about web security, the latest web attacks on the rise, and how such attacks damage business and reputation, let alone cause financial losses. When we talk about industry, we do not mean only retail; the scope stretches from medical appliances to car manufacturing and down to the electronic cigarette industry. That said, we will look at how the web presence of various industrial assets affects those industries directly or indirectly, and why web security is for them a factor too important, and a risk too big, to ignore or compromise on.

Predictions for 2015

I have come across and defined a statistical background check on as many application attack vectors as possible, and from that statistical approach have evidently arrived at a very conclusive set of industries which could face bankruptcy as well as reputation loss if the web security part is ignored. Here are some of the industries whose business is directly affected when they ignore web security at their end.

Medical Department

Web Retail Department and Business Assets

Open Source Platforms

Mobile Devices

There are predictions and uncertainties which counter each other, but these are the assets that will be involved in the coming days in shaping the future of web exploitation, both from a business perspective and from an impact perspective. The impacts, however, go unnoticed and stay hidden behind the curtains of the deep, dark corners of the web. I have compiled them into this post since I know their value, have regularly been going through Red Team engagements, and know the needs which have to be met by end users at the dawn of the day.

Medical IT Emergency Crisis on the Forefront

As far as analysis goes, the web is now used to a great extent as cloud storage. Computers are connected to inter-nodes, and a vast number of devices are now centralized in cloud storage to keep their assets in one place and retrieve them without having to access different machines at a given point in time. This has benefits and its own disadvantages. The rise of cloud storage has brought up security concerns, all of which are related to the web. The ITRC (Identity Theft Resource Center) has recognized a sharp rise in data theft related to breached medical data in and around 2013. This report left many security researchers astonished and wondering why such resources were targeted. Here are the conclusions:

Medical data have the most PII (Personally Identifiable Information).

With these databases of PII, attackers can gain more financially.

Beyond financial gain, attackers have access to medical records and could fake identities.

Identity theft on the rise leads to physical security concerns at a national level.

The theft alone is not the limit; it goes beyond, to resource crises in times of emergency.

Stolen medical records could be sold to a third party for huge corporate benefits.

These points tell the story of why attackers would love to have medical records at their disposal. A huge percentage of medical records, personal healthcare information and data assets remain vulnerable due to improper technical access controls in the system, faulty configurations at endpoints, and vulnerabilities that are exploited in the wild to access such records and personal information like SSNs, transaction history, medical loan records, critical patient data, and other valuable assets from billing records to medical weaknesses. Political motivation to push the medical department toward Web 2.0 and to accept data from one endpoint to another gives an attacker a perfect vantage point to harness the underlying weaknesses of the web, since most IT staff are still unaware of the technical issues and have not really been trained to assure 'security', let alone handle incident response rapidly and mitigate rising issues swiftly.

Web Retail E-commerce Application Threats

A massive range of application exploitation vectors is available to attackers. With that said, these exploitation techniques keep moving forward and keep changing rapidly with the evolving web architectural setup and the platform environment used. It is predicted that, at the end of any given day, each unpatched retail application goes through at least ten attacks on average, either from automated botnets pre-configured to scan the whole internet for web-based vulnerabilities or manually by an attacker who targets it at the expense of his or her time. The web retail sector, primarily the e-commerce based part, is targeted either for personal gain, such as tampering with the amount and buying a product, or for stealing the personal information of customers who have been regulars on the e-commerce sites. This is not restricted to user compromise or financial gain; it also has an impact on the trust relationship a business has built over several years of hard work. A minor bug in the application can change the destiny of a business and leave it in a miserable condition. This has happened in the past, is happening in the present, and will continue to happen in the future with the increasing number of web technologies and the loopholes they leave behind by default. The security threat that has had, and still has, the greatest impact in harvesting database records is SQL injection. Application frameworks that ship with defenses against it still fail conveniently, because second-order injection vulnerabilities remain, and using an ORM alone does not amount to the security controls that are needed today.
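To make the second-order injection point concrete, here is an added example in Python using the standard library's sqlite3 module; it is not code from the original post or from Defencely. The schema, the sample rows, and the `register_user`, `orders_for_user_vulnerable`, `orders_for_user_safe` and `run_demo` functions are all constructed for this illustration. The registration insert is parameterized, so a first-order check passes, yet a later query that concatenates the stored username is still injectable; the hardened version binds the value again at the point of use.

```python
import sqlite3

# Constructed demo schema and rows; nothing here comes from a real deployment.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT NOT NULL, pw_hash TEXT NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, username TEXT NOT NULL, total REAL NOT NULL);
        INSERT INTO orders (username, total) VALUES ('alice', 120.0), ('bob', 75.5), ('o''brien', 10.0);
    """)
    return conn

def register_user(conn, username, pw_hash):
    # First-order safe: the raw username is bound as a parameter, never concatenated.
    cur = conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, pw_hash))
    conn.commit()
    return cur.lastrowid

def lookup_username(conn, user_id):
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def orders_for_user_vulnerable(conn, user_id):
    # Second-order defect: the username came from our own database, so the
    # developer treats it as trusted and builds the SQL by string formatting.
    username = lookup_username(conn, user_id)
    query = "SELECT username, total FROM orders WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def orders_for_user_safe(conn, user_id):
    # Hardened: data is bound at every point of use, regardless of where it was read from.
    username = lookup_username(conn, user_id)
    return conn.execute(
        "SELECT username, total FROM orders WHERE username = ?", (username,)
    ).fetchall()

def run_demo():
    """Returns (row count seen by the vulnerable path, row count seen by the safe
    path, whether the vulnerable path errors on a legitimate apostrophe, and the
    safe rows for that legitimate user)."""
    conn = setup_db()
    # A username that is stored verbatim and only becomes SQL syntax when re-used unsafely.
    hostile_id = register_user(conn, "x' OR '1'='1", "<hash>")
    vuln_rows = orders_for_user_vulnerable(conn, hostile_id)   # every order in the table
    safe_rows = orders_for_user_safe(conn, hostile_id)         # no such customer: empty
    # A perfectly legitimate name breaks the vulnerable query as well; that is the
    # detection hint for defenders: SQL syntax errors on ordinary input point at concatenation.
    legit_id = register_user(conn, "o'brien", "<hash>")
    try:
        orders_for_user_vulnerable(conn, legit_id)
        legit_errors = False
    except sqlite3.OperationalError:
        legit_errors = True
    legit_safe = orders_for_user_safe(conn, legit_id)
    return len(vuln_rows), len(safe_rows), legit_errors, legit_safe

if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is that "validated on input" is not the same as "safe everywhere": an ORM or a parameterized insert protects the write, but the read path that rebuilds SQL from stored data is where the second-order flaw lives, and a source code review has to follow each value to every query that uses it.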

E-commerce leads to rising data theft.

This data would be used for identity theft or personal financial gain.

The data could be exchanged on black-market forums, which are equally on the rise.

A silent, complete compromise, with its reputation cost, is an evolving trend.

What’s the steal for an attacker?

Attackers will find new targets irrespective of what new technologies are put in. They will investigate newer potential vulnerabilities in weaker CMSs or in the application itself and will find a way in, moving from one target to another.

Exploitation is going to get easier for attackers with automated blind payload-throwing toolsets that give sheer power to an attacker at their desk. The elite ones target one specific application which they can break at the expense of their time, whereas others blindly fire their tools against any application they take pleasure in, and this evidently gives a potential foothold entry point to attackers of any skill level, with a chance to steal.

Databases extracted from e-commerce sites are highly paid for on black markets. The financial gains are much higher than for the usual data. The payoff grows exponentially with the richness of the databases an attacker can sell off. This has evidently been rising and will continue.

There is no such thing as a secure web platform which has not already passed verification through an application penetration testing phase. The points I have mentioned will constantly be looked at by an attacker to gain an initial foothold silently on the application, and this in turn could lead to server-level compromise; pre-testing the application by offensive means is the only defense against any real-world attack scenario. This is known as a Red Team Engagement or a Penetration Test Engagement, which ensures total application security and assists the web e-commerce business enterprise department toward an overall application security posture.

Open source is just not the Security Fit!

There have been many recent critical security concerns regarding the use of open source platforms, and since they are free of cost, a large portion of business assets use them for application deployment, knowingly or unknowingly. Let's cover the 'knowingly' situation first. Looking deeper, the number of WordPress sites has peaked, since everyone has to have a blog and that is the trend for promoting a business. Whether for marketing purposes or simply to advertise seamlessly using a third-party blogging platform, vulnerabilities on these platforms keep evolving fast, because the 'code' comes free, open and available to all users, including malicious attackers who study the code, identify weaknesses and exploit them in the wild silently until they are almost publicly disclosed. The time period between the release of 0-days and full disclosure takes its toll on several critical assets, and this has always been increasing. On the 'unknowingly' part, certain proprietary systems readily used 'OpenSSL', which was originally considered the strictest form of security, but what did it end up with? A critical flaw in SSL which opened eyes after years of silent exploitation. In that time period exploiters surely already made themselves rich with the unobserved critical flaw, using open source code ready at every system's disposal.

OpenSSL had a serious flaw, yet was considered safe for years.

Heartbleed was discovered, which again blew the World Wide Web apart.

Shellshock went ahead and gave exploitation a hammer, up to the level of system compromise.

Considering open source to be safe by default, without an audit, would certainly end badly.

It is important that the various web-presence-based industries know their real value, try dissecting their proprietary and open source code manually, and test it with security audit services rather than deploying it to production without any verification having been done. It is always a risk to deploy any part of the source code without first verifying and unit-testing every portion, including testing for security vulnerabilities that could be hidden in the libraries, be they proprietary or open source. It is only a matter of time before these applications are broken and hidden critical functions are accessed, evading or bypassing functional access control features, even though every possible prevention has been placed exactly where it should have been. Proper prior expert application security testing is an absolute necessity, and it should happen before deployment. If applications are already deployed and in the middle of their operational phase, they urgently need a security check!

Mobile Applications are the new portability to (in)security!

Attackers love the dialect of what is used in the wild, and of what is convenient and easily accessible to everyone, harnessing the benefits of the attack surface they can hunt! Some of these rising trends have in particular been mobile platforms. And when we talk about these platforms, we are not limiting ourselves to 'Android' based mobile platforms but include Windows and iOS as well. With increasing social platforms and apps on the go, from retail e-commerce apps to travel, educational, entertainment, leisure and gaming apps, and installation as easy as one click, there is a need to rethink all of this, and surely one would notice why mobile devices have to be favorites among the list of targets attackers dwell their brain cells on. Can we trust these huge data sources?

Google might have done a neat job at malware prevention, but would still fail to completely neutralize attacks. Alternative attack surfaces are plentiful, either for compromising a third-party service via a mobile device or for compromising the mobile device itself. The latter might be targeted and requires dedicated attention. Most Android devices still run an outdated OS without fixes for major disclosed Android security vulnerabilities, which is why they will remain vulnerable. The rest, which are updated, fall prey to OEM-layer vulnerabilities and the latest 0-days on the rise against the Android platform.

Mobile application threats are already on the rise due to the global acceptance ratio, the number of people using these devices, which now get an internet connection too easily and connect to the WWW on the go.

An audit may be required for insecure data storage.

There could be data leakage resulting in a personal data leak.

There could be authentication risk, which has everything to do with it in the first place.

There are possible ways for client-side injection coming from untrusted sources.

All of these will only lead to serious personal damage, and if applications were deployed without being tested, they will seriously cost the reputation of the one delivering them. This has been on the rise since 2012 and was very active through 2013. Late 2014 saw some serious SOP bypasses using the default browsers that came along with Android, which have been seriously dealt with in the end. This will be an ongoing aspect of primary application threat research and will always keep attackers interested, since the goal here is to reach the millions, if not billions, already using mobile applications on mobile devices, which are so easily intercepted and used heavily in day-to-day life.

Remediation and Recommendations

I suggest keeping track of every aspect of the web which is in use at present and has an effect, either directly or indirectly, on your personal web records as well as your business records. Identify why a certain web property requires your complete attention for its security and why it is essential to you in the first place. If there is business involvement, are these business assets protected and verified in accordance with any pre-engagement done on these properties? Have they gone through complete, fool-proof security testing phases to meet the end goal, or are they being silently stopped by a silent, poisoned attack which has an adverse effect on you and your business? Personally, is your reputation at stake if any of the properties which you own, personally or professionally, are compromised? Is there a way you could have prevented it but never did, or never knew how to go about the first steps?

There is a remediation and a recommendation for this, and the only solution is prior application testing which meets your end goal and preserves your properties with a strict security policy.

About Defencely Inc.

Defencely Inc. was founded with a visionary effort toward application security services, with its presence in Texas, US, and its primary operational task is to go beyond the realm of automated scanning conventions, which are often prone to failure. Because of complex web architectures with additional web service support and the different web technologies used in these architectures, applications need a legendary application security service to prevent corporate industries from suffering massive web attacks leading to silent compromises. Defencely Inc. provides the ultimate solution to the rising application security risk associated with the rich applications being deployed. Our prime focus has been application security for enterprise-level business.

Our business model is positioned around talented and unique WHITE-HAT ETHICAL SECURITY ANALYSTS, who constantly monitor your websites, thoroughly at first, which is known as a Vulnerability Assessment followed by a Penetration Test, and then on an ongoing basis for continued solid protection against any malicious attempts leading to security compromise or loss of application integrity via exposed vulnerabilities open to a wide range of malicious attackers taking advantage of the loopholes. Security isn't a one-time formula, it's a process, and hence our application security experts help make the web world stronger with Defencely Inc. services globally. We conduct our business with NDA-based assessments. Defencely Inc. is primarily focused on critical-level vulnerability assessments and application security audit solutions for cloud-based website assets, web application assets and business-logic-level application assets which have a functional business impact on its customers and itself. We conduct manually driven vulnerability assessments, penetration tests and source code reviews, as we believe almost all vulnerabilities, globally, arise out of coding issues. DEFENCELY Inc.'s Web Application Vulnerability Assessment and Penetration Test Services take on an application from the viewpoint of a malicious hacker and locate any logical and technical defects, to begin with patching the found weaknesses which could escalate into a concerning security issue.

Author Bio: Shritam Bhowmick is an application penetration tester professionally equipped with traditional as well as professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.'s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The R&D sector toward application security is ever growing and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements and also has experience training curious students in his leisure time.